[Django] #31896: Allow using unsafe PyYAML utils when loading fixtures


Django

Aug 17, 2020, 2:55:50 PM8/17/20
to django-...@googlegroups.com
#31896: Allow using unsafe PyYAML utils when loading fixtures
-------------------------------------+-------------------------------------
Reporter: GProst | Owner: nobody
Type: New feature | Status: new
Component: Core (Management commands) | Version: 3.1
Severity: Normal | Keywords: fixtures
Triage Stage: Unreviewed | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 1
UI/UX: 0 |
-------------------------------------+-------------------------------------
Currently, Django uses PyYAML's SafeLoader to load fixtures, which prevents
using some advanced utils like `!!python/object/apply`. For example, to
create dates related to the current date, and not static dates that you
have to update over time so that they aren't too old.

Anyway, there could be many reasons why a developer would want to use such
a util in fixtures. And I believe it should be safe to use UnsafeLoader
for fixtures since this is certainly data that developers create
themselves.

Opened a PR: https://github.com/django/django/pull/13320

--
Ticket URL: <https://code.djangoproject.com/ticket/31896>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Aug 17, 2020, 3:10:56 PM8/17/20
to django-...@googlegroups.com
#31896: Allow using unsafe PyYAML utils when loading fixtures
-------------------------------------+-------------------------------------
Reporter: GProst | Owner: nobody
Type: New feature | Status: new
Component: Core (Management commands) | Version: 3.1
Severity: Normal | Resolution:
Keywords: fixtures | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by GProst:

Old description:

> Currently, Django uses PyYAML's SafeLoader to load fixtures, which
> prevents using some advanced utils like `!!python/object/apply`. For
> example, to create dates related to the current date, and not static
> dates that you have to update over time so that they aren't too old.
>
> Anyway, there could be many reasons why a developer would want to use
> such a util in features. And I believe it should be safe to use
> UnsafeLoader for fixtures since this is certainly data that developers
> create themselves.
>
> Opened a PR: https://github.com/django/django/pull/13320

New description:

Currently, Django uses PyYAML's SafeLoader to load fixtures, which prevents
using some advanced utils like `!!python/object/apply`. For example, to
create dates related to the current date, and not static dates that you
have to update over time so that they aren't too old.

Anyway, there could be many reasons why a developer would want to use such
a util in fixtures. And I believe it should be safe to use UnsafeLoader
for fixtures since this is certainly data that developers create
themselves.

--

--
Ticket URL: <https://code.djangoproject.com/ticket/31896#comment:1>

Django

Aug 17, 2020, 3:11:46 PM8/17/20
to django-...@googlegroups.com
#31896: Allow using unsafe PyYAML utils when loading fixtures
-------------------------------------+-------------------------------------
Reporter: GProst | Owner: nobody
Type: New feature | Status: new
Component: Core (Management commands) | Version: 3.1
Severity: Normal | Resolution:
Keywords: fixtures | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Description changed by GProst:

Old description:

> Currently, Django uses PyYAML's SafeLoader to load fixtures, which
> prevents using some advanced utils like `!!python/object/apply`. For
> example, to create dates related to the current date, and not static
> dates that you have to update over time so that they aren't too old.
>
> Anyway, there could be many reasons why a developer would want to use
> such a util in fixtures. And I believe it should be safe to use
> UnsafeLoader for fixtures since this is certainly data that developers
> create themselves.
>
> Opened a PR: https://github.com/django/django/pull/13320

New description:

Currently, Django uses PyYAML's SafeLoader to load fixtures, which prevents
using some advanced utils like `!!python/object/apply`. To create dates
related to the current date, for example, and not static dates that you
have to update over time so that they aren't too old.

Anyway, there could be many reasons why a developer would want to use such
a util in fixtures. And I believe it should be safe to use UnsafeLoader
for fixtures since this is certainly data that developers create
themselves.

--

--
Ticket URL: <https://code.djangoproject.com/ticket/31896#comment:2>

Django

Aug 18, 2020, 1:25:21 AM8/18/20
to django-...@googlegroups.com
#31896: Using unsafe PyYAML utils when loading fixtures.
-------------------------------------+-------------------------------------
Reporter: German Prostakov | Owner: nobody
Type: New feature | Status: closed
Component: Core (Serialization) | Version: 3.1
Severity: Normal | Resolution: wontfix
Keywords: fixtures | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* cc: Aymeric Augustin (added)
* resolution: => wontfix
* status: new => closed
* component: Core (Management commands) => Core (Serialization)


Comment:

Thanks for this ticket, however we've changed to a safe loader in
[https://docs.djangoproject.com/en/stable/releases/1.4/#yaml-deserializer-now-uses-yaml-safe-load Django 1.4]
(see d71b4309ca3c4c7aafc446404f86499c7366a771) and I don't see a strong
reason to revert it. You can always create your own serializer, and add it
to the `SERIALIZATION_MODULES` setting if you need to use the
`UnsafeLoader`.

--
Ticket URL: <https://code.djangoproject.com/ticket/31896#comment:3>
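The exchange above turns on one fact: a `!!python/object/apply` tag is not data, it is a call. The following is an added example (not Django's code, not the reporter's PR, and not the project's serializer) showing three things with plain PyYAML: the `SafeLoader` that Django has used for fixtures since 1.4 refuses the tag outright; `UnsafeLoader` resolves and invokes the named callable at load time, which is what makes it unfit for a `loaddata` path that also sees fixtures from contributors, vendors or CI artifacts; and the relative-date use case from the ticket can be met with a `SafeLoader` subclass that allow-lists one narrow tag rather than every Python object. The fixture fragments, the `shop.order` model name, the `!days_from_now` tag and the `RelativeDateLoader`/`load_fixture` names are all constructed for the example; only `yaml.SafeLoader`, `yaml.UnsafeLoader`, `yaml.safe_load`, `yaml.load` and `add_constructor` are real PyYAML API.

```python
"""Added example (not Django's code): why fixtures stay on SafeLoader, and
how to get relative dates with an allow-listed tag instead of UnsafeLoader.
Assumes PyYAML is installed; loader, tag and model names are hypothetical."""
import datetime

import yaml

# Constructed fixture fragment using the tag the ticket asks for. Under
# UnsafeLoader the tagged value is a *call*: builtins.len([1, 2, 3]).
# Substituting os.system or subprocess.check_output works the same way.
APPLY_FIXTURE = """\
- model: shop.order
  pk: 1
  fields:
    note: !!python/object/apply:builtins.len [[1, 2, 3]]
"""

# Constructed fixture using a narrow, purpose-built tag instead.
RELATIVE_FIXTURE = """\
- model: shop.order
  pk: 1
  fields:
    created: !days_from_now -30
    expires: !days_from_now 7
"""


def safe_loader_rejects(text):
    """True if PyYAML's SafeLoader (Django's fixture default since 1.4)
    refuses the document. It rejects *any* tag it has no constructor for,
    so an unknown tag like !days_from_now is refused too, not silently
    turned into a string."""
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


def unsafe_loader_executes(text):
    """Load with UnsafeLoader and return the constructed 'note' field.
    The suffix after python/object/apply: is imported and called with
    the sequence as positional arguments, here len([1, 2, 3])."""
    doc = yaml.load(text, Loader=yaml.UnsafeLoader)
    return doc[0]["fields"]["note"]


class RelativeDateLoader(yaml.SafeLoader):
    """SafeLoader plus one allow-listed tag (hypothetical class name).
    add_constructor on a subclass copies the constructor registry, so
    yaml.SafeLoader itself is left untouched."""


def _construct_days_from_now(loader, node):
    # Scalar is the raw text of the node ("-30"); no code is executed.
    days = int(loader.construct_scalar(node))
    return datetime.date.today() + datetime.timedelta(days=days)


RelativeDateLoader.add_constructor("!days_from_now", _construct_days_from_now)


def load_fixture(text):
    """Load with the allow-listed loader. Returns None if the document
    uses any tag outside the allow list, python/object/apply included."""
    try:
        return yaml.load(text, Loader=RelativeDateLoader)
    except yaml.constructor.ConstructorError:
        return None


def fixture_span_days(doc):
    """Days between the constructed 'created' and 'expires' dates."""
    fields = doc[0]["fields"]
    return (fields["expires"] - fields["created"]).days


if __name__ == "__main__":
    print("SafeLoader rejects python/object/apply:", safe_loader_rejects(APPLY_FIXTURE))
    print("UnsafeLoader executes it, note =", unsafe_loader_executes(APPLY_FIXTURE))
    print("Allow-listed loader on relative dates:", load_fixture(RELATIVE_FIXTURE))
    print("Allow-listed loader on apply tag:", load_fixture(APPLY_FIXTURE))
```

To wire a loader like this into Django along the lines felixxm suggests, the usual route (an assumption about your project layout, not something the ticket spells out) is to copy `django/core/serializers/pyyaml.py` into your own app, replace the `SafeLoader` it hands to `yaml.load` with the allow-listed subclass, and map the format to that module with `SERIALIZATION_MODULES = {"yaml": "yourapp.yaml_serializer"}`. That keeps the reporter's relative-date fixtures working while the loader still refuses every other tag, which is a much smaller change in trust than switching to `UnsafeLoader`.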

Django

Aug 18, 2020, 4:49:10 AM8/18/20
to django-...@googlegroups.com
#31896: Using unsafe PyYAML utils when loading fixtures.
-------------------------------------+-------------------------------------
Reporter: German Prostakov | Owner: nobody
Type: New feature | Status: closed
Component: Core (Serialization) | Version: 3.1
Severity: Normal | Resolution: wontfix
Keywords: fixtures | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by German Prostakov):

Oh, thanks! I did not think about `SERIALIZATION_MODULES`, this seems like
a better approach indeed!

--
Ticket URL: <https://code.djangoproject.com/ticket/31896#comment:4>
